From 3350cec589a6343f36e945b8d7ae8b03e09901f1 Mon Sep 17 00:00:00 2001
From: Davidson Gomes
Date: Mon, 27 May 2024 16:35:55 -0300
Subject: [PATCH 1/2] fix: security fix in fetch instance with client key when not connected to mongodb

---
 src/api/guards/auth.guard.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/api/guards/auth.guard.ts b/src/api/guards/auth.guard.ts
index 8168e80fa..4ed0898b4 100644
--- a/src/api/guards/auth.guard.ts
+++ b/src/api/guards/auth.guard.ts
@@ -3,7 +3,7 @@ import { NextFunction, Request, Response } from 'express';
 import jwt from 'jsonwebtoken';
 import { name } from '../../../package.json';
-import { Auth, configService } from '../../config/env.config';
+import { Auth, configService, Database } from '../../config/env.config';
 import { Logger } from '../../config/logger.config';
 import { ForbiddenException, UnauthorizedException } from '../../exceptions';
 import { InstanceDto } from '../dto/instance.dto';
@@ -58,6 +58,7 @@ async function jwtGuard(req: Request, res: Response, next: NextFunction) {
 async function apikey(req: Request, _: Response, next: NextFunction) {
   const env = configService.get('AUTHENTICATION').API_KEY;
   const key = req.get('apikey');
+  const db = configService.get('DATABASE');
 
   if (!key) {
     throw new UnauthorizedException();
@@ -79,7 +80,7 @@ async function apikey(req: Request, _: Response, next: NextFunction) {
       return next();
     }
   } else {
-    if (req.originalUrl.includes('/instance/fetchInstances')) {
+    if (req.originalUrl.includes('/instance/fetchInstances') && db.ENABLED) {
       const instanceByKey = await repository.auth.findByKey(key);
       if (instanceByKey) {
         return next();

From 2e9c14a0a821ac62cba640088cd6b52ccbafb546 Mon Sep 17 00:00:00 2001
From: Davidson Gomes
Date: Mon, 27 May 2024 16:35:59 -0300
Subject: [PATCH 2/2] fix: security fix in fetch instance with client key when not connected to mongodb

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
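Review bot: Gating the lookup on `db.ENABLED` in the `} else {` branch of `apikey` closes the bypass at this call site, but the root cause — `repository.auth.findByKey(key)` apparently yielding a truthy result when no database is configured — stays in the repository, so any other caller of `findByKey` presumably has the same exposure; I would make `findByKey` itself return `null` when the database is disabled and keep this guard as defence in depth. The reason for the guard is not obvious from the line and deserves a comment such as `// Instance-scoped keys can only be verified against the database; without one, never trust findByKey to authenticate` (wording to be confirmed against what the repository does without a DB). `db.ENABLED` also assumes `configService.get('DATABASE')` always returns an object; if it can be undefined, an unauthenticated request would surface as a TypeError (HTTP 500) rather than the `UnauthorizedException` the rest of the guard throws. The `Database` type added to the import in the first hunk is not referenced in any visible hunk — either use it to type `db` or drop it — and, pre-existing but on the same changed line, `req.originalUrl.includes('/instance/fetchInstances')` is a substring match that a comparison on `req.path` would tighten. The body of `apikey` continues past the end of the hunk.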
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d07c575a3..06379d809 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ ### Fixed * Correction in message formatting when generated by AI as markdown in typebot +* Security fix in fetch instance with client key when not connected to mongodb # 1.7.5 (2024-05-21 08:50)